diff --git a/private/apexd.te b/private/apexd.te
index dcec2487bd58c8d9bd5f7810b324c71356d12207..adf6c9758f1274affc234e3fd68ba919072609af 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -29,6 +29,9 @@ allow apexd apex_mnt_dir:dir create_dir_perms;
 # allow apexd to mount in /apex
 allow apexd apex_mnt_dir:filesystem { mount unmount };
 allow apexd apex_mnt_dir:dir mounton;
+# allow apexd to create symlinks in /apex
+allow apexd apex_mnt_dir:lnk_file create_file_perms;
+
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
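Review bot: `create_file_perms` on `apex_mnt_dir:lnk_file` looks wider than the stated purpose of creating symlinks in /apex. Assuming the stock macro definition (not visible in this diff), it also carries permissions such as `rename`, `setattr` and `write`. If apexd only creates, resolves and removes these links, a narrower grant would be enough: `allow apexd apex_mnt_dir:lnk_file { create getattr read unlink };`. The comment could also record what the links are for, e.g. `# apexd creates and removes the symlinks under /apex that point to mounted APEXes`.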
@@ -40,3 +43,4 @@ dontaudit apexd self:global_capability_class_set { dac_override dac_read_search
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
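Review bot: The new neverallow on `apex_mnt_dir:lnk_file` relies on `no_w_file_perms`, which in the stock macro set does not include `relabelto` (the definition is not part of this diff, so please confirm). Another domain could then still be granted the right to relabel a symlink into this type without tripping the assertion. If the intent is that only apexd ever produces symlinks with this label, consider `neverallow { domain -apexd } apex_mnt_dir:lnk_file { no_w_file_perms relabelto };`. A one-line comment above the rule would also help, e.g. `# Only apexd may create or modify symlinks in /apex; every domain resolves paths through them`.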
diff --git a/public/domain.te b/public/domain.te
index fa21e1f370ebf9191ac6ca048cf2e3a195bfa30a..680d5e48be2ff9b50e5fef72fd009ececf4c0c8c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -343,6 +343,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
 # Under ASAN, /system/asan.options needs to be globally accessible.
 with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 
+# read APEX dir and stat any symlink pointing to APEXs.
+allow domain apex_mnt_dir:dir search;
+allow domain apex_mnt_dir:lnk_file r_file_perms;
+
 ###
 ### neverallow rules
 ###
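Review bot: The comment on the two new `allow domain` rules does not match what they grant. "read APEX dir" is attached to `search`, which permits path traversal but not listing. "stat any symlink" is attached to `r_file_perms`, which is broader than `getattr` and, for a link, is what permits reading its target. Because this applies to every domain, untrusted ones included, the comment should state the real scope, e.g. `# All domains may traverse /apex and read the symlinks apexd creates there`. If resolving the link is all that is needed, `allow domain apex_mnt_dir:lnk_file { getattr read };` would probably suffice, though that depends on callers not shown here.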
diff --git a/public/init.te b/public/init.te
index eb27dbd329d544234a255bf6be10495e0f53abc0..430b120ef63f6cc232110a6be8421a86d504a0ea 100644
--- a/public/init.te
+++ b/public/init.te
@@ -205,6 +205,7 @@ allow init {
 
 allow init {
   file_type
+  -apex_mnt_dir
   -app_data_file
   -exec_type
   -iorapd_data_file
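Review bot: The `-apex_mnt_dir` exclusion added to this `allow init { file_type ... }` set has no comment explaining why the type is excluded, and the same applies to the identical change in public/vendor_init.te. The class and permission list of both rules lie outside the hunks, so it cannot be confirmed here that these are lnk_file rules and that no directory access init still needs on /apex is dropped along the way. A comment above each rule would tie the exclusion to its cause, e.g. `# apex_mnt_dir is excluded: only apexd may modify symlinks in /apex (neverallow in private/apexd.te)`.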
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 8cd9b473e6c4c4fcc4d9806209702677bb5528e4..c5cad47b0f4739ea48bd39d016fd301ced88c68f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -78,6 +78,7 @@ allow vendor_init {
 
 allow vendor_init {
   file_type
+  -apex_mnt_dir
   -core_data_file_type
   -exec_type
   -system_file_type